BlackCat/ALPHV Ransomware Tussles With the FBI

  • Global law enforcement disclosed three significant busts this week: the BlackCat ransomware leak site, the Kingdom Market darknet marketplace, and 3,500 online fraudsters.
  • BlackCat, also known as the ALPHV ransomware syndicate, is fighting back and has already retaken control of its dark web leak site.

Just hours after an FBI-led, coordinated law enforcement action against the ALPHV ransomware group seized control of its Tor leak site, members of the gang claimed to have reclaimed the site.

On Tuesday, the Department of Justice confirmed that the FBI had gained access to the underground cybercriminal group's network, which allowed it to monitor the group's activities for months and seize its websites in December. The BlackCat leak site had already been inaccessible since December 7, an outage the group attributed to a hardware issue.

According to the FBI, as of September 2023, the ALPHV/BlackCat ransomware gang had earned $300 million in ransom proceeds from over 1,000 victims globally.

The FBI also obtained decryption keys, which it released to victims, helping 500 affected organizations regain access to their data and saving them roughly $68 million in ransom demands.

“This was a significant intervention by law enforcement. BlackCat has been the second most prolific ransomware variant according to NCC Group’s leak data statistics,” Matt Hull, global head for Strategic Threat Intelligence at NCC Group, told Spiceworks.

"The FBI cites that BlackCat has compromised over 1,000 entities globally. This number is higher than the data we have (624), but our dataset is based purely on the number of BlackCat victims who have had data exposed in a 'leak site'. This provides us with some insight into the number of compromised organizations that have been able to avoid having their data published, either because they have negotiated with the ransomware operators or have paid their demands."

"The BlackCat ransomware group has had some high-profile victims. It rose to prominence in a relatively short space of time, and the individuals behind the ransomware developed a highly effective set of tooling and a business model to meet the demand of its users."

The FBI took over the BlackCat leak site using 946 public/private key pairs for the Tor sites the gang used to host victim communication sites, leak sites, and affiliate panels. It obtained the keys with the help of a "Confidential Human Source (CHS) who routinely provides reliable information related to ongoing cybercrime investigations." CHS is law enforcement jargon for an informant who, according to an affidavit unsealed in a Southern District of Florida court, responded to an ad and applied for a position as a BlackCat affiliate.

After taking over the prolific ransomware gang's infrastructure, the FBI displayed a seizure banner on the leak site.

ALPHV/BlackCat Ransomware Leak Site Seized Banner

Roger Grimes, data-driven defense evangelist at KnowBe4, told Spiceworks, “They are likely just to reform under another name. Still, anytime the good guys can disrupt the bad guys it’s a great day for all that is good.”


That is usually what threat actors do once their infrastructure is seized. The ALPHV ransomware gang, however, took a road less traveled: it retook control of the leak site and wrote, "This website has been unseized."

Members of the BlackCat ransomware gang could do that not because they regained access to the seized server but because they still held the same Tor hidden service keys the FBI had obtained. A v3 .onion address is derived from the service's public key, and anyone holding the matching private key can publish a fresh hidden service descriptor that points the address at a server of their choosing. Using those keys, the gang could stand up a new server behind the same .onion address.

Whichever side publishes the most recent descriptor for the address controls what visitors see. This triggered a dark web tussle between the second-most successful ransomware gang today and the U.S. government.
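The mechanics of that tussle, as an added example that is not part of the Spiceworks article and not Tor's own code: the address derivation below follows Tor's rend-spec-v3 (SHA3-256 checksum, base32 encoding), while the directory is a toy model in which possession of the key bytes stands in for the descriptor signatures a real HSDir verifies. The 32-byte key and the publisher and server names are constructed for illustration.

```python
"""
Why two parties holding the same hidden service key can take turns "owning"
one .onion address, and why the most recently published descriptor wins.

Address derivation (Tor rend-spec-v3):
    address  = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
The HSDir class is a toy model: real directories check signatures made with
keys derived from the identity key; here, holding the key bytes stands in for
that. The key and the publisher/server names are constructed, not real.
"""
import base64
import hashlib

ONION_VERSION = b"\x03"


def onion_address(pubkey: bytes) -> str:
    """Derive a v3 .onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Recover the public key from a v3 address, rejecting a bad version or checksum."""
    if not addr.endswith(".onion"):
        raise ValueError("not a .onion address")
    raw = base64.b32decode(addr[: -len(".onion")].upper())
    if len(raw) != 35 or raw[34:] != ONION_VERSION:
        raise ValueError("not a v3 onion address")
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return pubkey


class HSDir:
    """Toy hidden-service directory: per address, keep only the descriptor with
    the highest revision counter, so stale or replayed descriptors are rejected."""

    def __init__(self) -> None:
        self._descriptors: dict[str, dict] = {}

    def publish(self, pubkey: bytes, revision: int, publisher: str, server: str) -> bool:
        addr = onion_address(pubkey)  # same key -> same address, whoever publishes it
        current = self._descriptors.get(addr)
        if current is not None and revision <= current["revision"]:
            return False  # older or replayed descriptor: the directory keeps what it has
        self._descriptors[addr] = {"revision": revision, "publisher": publisher, "server": server}
        return True

    def resolve(self, addr: str) -> tuple[str, str]:
        """Return (publisher, server) currently behind the address."""
        d = self._descriptors[addr]
        return d["publisher"], d["server"]


def simulate_tussle() -> dict:
    """Replay the seizure/unseizure sequence with one shared identity key."""
    key = bytes(range(32))  # constructed stand-in for the leak site's identity key
    addr = onion_address(key)
    hsdir = HSDir()
    outcomes = [
        ("gang publishes original site", hsdir.publish(key, 1, "gang", "original-leak-server")),
        ("FBI publishes seizure banner", hsdir.publish(key, 2, "fbi", "seizure-banner-server")),
        ("gang replays old descriptor", hsdir.publish(key, 2, "gang", "original-leak-server")),
        ("gang publishes 'unseized' page", hsdir.publish(key, 3, "gang", "unseized-server")),
    ]
    publisher, server = hsdir.resolve(addr)
    return {"address": addr, "outcomes": outcomes, "publisher": publisher, "server": server}


if __name__ == "__main__":
    result = simulate_tussle()
    print(result["address"])
    for step, accepted in result["outcomes"]:
        print(f"{step}: {'accepted' if accepted else 'rejected'}")
    print(f"visitors now see: {result['publisher']} @ {result['server']}")
```

The point the model makes is that nothing about the address itself distinguishes the FBI's server from the gang's: both descriptors are valid for the same key, and only the revision counter decides which one the directory serves. The only way to lock the other party out for good is to hold a key they do not have, which here means abandoning the address and generating a new one.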

ALPHV/BlackCat Ransomware Unseized Message

In retaliation, ALPHV/BlackCat has also scrapped the rules it imposed on affiliates of its ransomware-as-a-service operation, rules that previously put targets such as hospitals and nuclear power plants off limits.

The message reads: “The maximum that they have is the keys for the last month and a half, it’s about 400 companies, but now more than 3,000 companies will never receive their keys because of them.”

“Because of their actions we are introducing new rules, or rather eliminating ALL the rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere.”

The group added that it is increasing the affiliate cut to 90%, possibly to incentivize affiliates to stay. According to vx-underground, the LockBit ransomware group is already trying to poach ALPHV/BlackCat's developers and affiliates.

Other cybercriminal busts this week

The ALPHV/BlackCat website takedown isn't the only cybersecurity success story this week (despite the group's counter). The German Federal Criminal Police Office collaborated with Europol, the FBI, and other international agencies to take down the darknet marketplace Kingdom Market.

With 42,000 listings, Kingdom Market was extensively engaged in the illicit drug trade. However, the marketplace, which emerged in March 2021, was also used as a platform to sell malware, personal information, and forged documents, and served as an avenue for cybercriminals to offer their services.

The takedown also included the arrest of a Slovak national, Alan Bill, aka 'Vend0r' or 'KingdomOfficial.'

Additionally, Interpol disclosed that another international operation led to the arrest of 3,500 individuals who carried out voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.

Funded by South Korea and involving 34 countries, Operation HAECHI IV also led to the seizure of $300 million, $199 million of it in hard currency and $101 million in virtual assets. Law enforcement also blocked 82,112 suspicious bank accounts.

Is law enforcement doing enough to contain cybercrime? Share with us on LinkedIn.